Cybersecurity bill could 'sweep away' internet users'
privacy, agency warns
Homeland Security admits Cybersecurity Information
Sharing Act raises concerns while corporations and data brokers lobby for bill
as it returns to Senate
By Sam Thielman
Monday 3 August 2015 17.23 EDT Last modified on Monday 3
August 2015 18.20 EDT
The Department of Homeland Security (DHS) on Monday said
a controversial new surveillance bill could sweep away “important privacy
protections”, a move that bodes ill for the measure’s return to the floor of
the Senate this week.
The latest in a series of failed attempts to reform
cybersecurity, the Cybersecurity Information Sharing Act (Cisa) grants broad
latitude to tech companies, data brokers and anyone with a web-based data
collection to mine user information and then share it with “appropriate Federal
entities”, which themselves then have permission to share it throughout the
government.
Minnesota senator Al Franken queried the DHS in July;
deputy secretary of the department Alejandro Mayorkas responded today that some
provisions of the bill “could sweep away important privacy protections” and
that the proposed legislation “raises privacy and civil liberties concerns”.
Much of the attention on Cisa has been directed at
companies such as Google, Facebook and Comcast, which have large hoards of
internet user behavior. But arguably more important are data brokers. Among the
groups lobbying for the passage of Cisa are Experian, which tracks consumer
trends using information from loyalty cards and other sources and licenses the
information to help target advertising; Oracle, whose Data Cloud product works
similarly; and Hitrust, which aggregates healthcare information.
The paragraph generating the most concern can be found in
section 4 of the bill: “[a] private entity may, for cybersecurity purposes,
monitor A) the information systems of such a private entity; B) the information
systems of another entity, upon written consent of such other entity […] and D)
information that is stored on, processed by, or transiting the information
systems monitored by the private entity under this paragraph.”
Debate on the bill could start on Wednesday with a vote
on Thursday.
Privacy concerns are already significant in the private
sector, where the use of personal data at scale is largely unregulated. “With
respect to data brokers that sell marketing products, the Commission recommends
that Congress consider legislation requiring data brokers to provide consumers
access to their data, including sensitive data held about them, at a reasonable
level of detail, and the ability to opt out of having it shared for marketing
purposes,” wrote the FTC in a whitepaper titled Data Brokers: A Call for
Transparency and Accountability last May. Such legislation has been introduced,
but is repeatedly referred to committee.
Data brokers are anxious to avoid losing the ability to
aggregate vast quantities of personal data - the sale and licensing of consumer
databases is a lucrative practice, as web advertising booms and TV advertising
becomes more sophisticated.
It’s also a practice that prefers not to disclose exactly
what information it is holding. Mike Seay, an Illinois man whose child died the
year previous, received in 2014 a junk mail flier from OfficeMax addressed to
“Mike Seay, Daughter Killed in Car Crash” (this was indeed how his 17-year-old
daughter had died).
Cisa’s mandate would seem to cover the publicly used
interfaces of the health insurers and banks – including SunTrust, Prudential,
American Express, Aflac and Bank of America – that lobbied on the bill.
Drew Mitnick of digital advocacy organization Access Now
pointed to language in the bill that would give participants in the proposed
information-sharing program immunity not just from prosecution, but from
regulatory action. “The transparency requirement is so narrow that, if you met
the requirements within the bill to get protection, it would give
[participating companies] broad range to collect data and then send it to the
government.”
Lobby group the Financial Services Roundtable (FSR) on
Monday launched an advertising campaign, stopcyberthreats.com, aimed at
tackling an online campaign by privacy activists who have dubbed Cisa “the
Darth Vader bill” and are worried by the sweeping legal immunity corporations
will receive under Cisa.
If the bill were to pass and enough of those companies
were to cooperate with any given agency, the amount of information floating
free within the federal government could easily extend to credit card histories
(collected by data miners at Argus), lists of goods purchased (aggregated from
customer loyalty cards by companies including Acxiom and Experian), and
healthcare records (tracked by insurers).
Credit check giant Experian said that the company would
like to see the legislation pass. “Experian supports legislation that would
facilitate greater sharing of cyber threat information among appropriate
private and government entities,” said a company spokeswoman in a statement to
the Guardian. “Such sharing arrangements, under parameters set by law, could
improve our mutual efforts to better detect and respond to emerging cyber
threats.”
The company also laid the duty to walk the knife’s edge
between citizens’ information security and their personal safety at the feet of
their elected officials. “Congress has the responsibility to balance the need
for facilitating greater information sharing, and thereby enhancing cyber
security, with important consumer privacy concerns. We encourage and support
Congress’ effort in striking this balance.”